Yes, SOCs can definitely not have CUEC's. That being said, you should see a statement within the SOC that say CUEC's are not required for the operating effectiveness of the controls. If that statement is present, no further action is required on your part (except to document that!). If you do not see any mention of CUEC's or the aforementioned statement, a quick follow up with the Vendor would be recommended to confirm whether CUEC's are not required. Though it doesn't happen often, I'd love to hear how others handle it when CUEC's are not addressed.
Original Message:
Sent: 04-27-2021 09:44 AM
From: Anonymous Member
Subject: SOC Report without CUECs
This message was posted by a user wishing to remain anonymous
Have you ever seen a SOC report that did NOT include CUECs? What do you do?